5G operators and vendors have long claimed the latest generation of wireless network architecture delivers security improvements over 4G. However, it also introduces new features and services that expands the threat surface to systems previously untouched by wireless networks.
Efforts such as the virtualization of radio access networks and a push to open interfaces, allowing operators to integrate a wider pool of software and equipment from vendors, further complicates risk assessments.
The network architecture also allows carriers to deliver network slicing over shared physical infrastructure, private networks and mobile edge computing.
Three years after the first 5G networks went live, the Cybersecurity and Infrastructure Security Agency in May issued a five-step security evaluation to counter these threats, vulnerabilities and supply chain concerns facing enterprises and government agencies.
CISA provided guidelines and 5G configurations that federal agencies should implement to bolster security. It also placed 5G under the Risk Management Framework, a cybersecurity evaluation system developed by the National Institute of Standards and Technology.
CISOs, especially those engaged with government agencies on 5G networks, should consider CISA’s advice to follow zero-trust architecture principles and implement DevSecOps pipelines that integrate infrastructure as code capabilities, said Ron Westfall, senior analyst and research director at Futurum Research.
“CISOs need to adhere just as stringently to CISA guidelines and could stand out by helping U.S. government risk managers identify the best security assistance programs and best practice assessment frameworks,” he said via email.
CISA is effectively setting the bar high by pinning 5G security evaluations to NIST guidelines and aligning with what are generally considered best practices in any industry.
CISOs should follow those as a baseline for their own processes, said Michela Menting, research director at ABI Research.
The proposal marks the beginning of a long evaluation and response by the U.S. government, and it’s expected to be continuously revised as 5G technology advances and introduces new services that present additional risk.
“5G is still a nascent technology and common, full standalone deployment is still some years away,” Menting said. Most 5G networks today are anchored to 4G cores, which poses limits on what operators can deliver.
Standalone 5G networks, which effectively cut the cord with older systems, haven’t materialized as quickly as expected.
As that happens, 5G operators intend to deliver advanced services riding on cloud-native technologies and software that will extend network infrastructure to private enterprise networks and applications running at the edge.
How the next wave of 5G will be leveraged and deployed remains unclear and this makes security evaluation and risk assessment difficult, Menting said. New market players, including hyperscalers, cloud service providers, software and application developers, cybersecurity vendors, resellers and systems integrators are offering products and services within the telco space for the first time.
“The most prevailing security challenge in 5G infrastructure is the significant expansion of the attack surface in relation to pre-5G networks,” Westfall said.
The disaggregation of hardware and software and a larger vendor pool introduces new threats to virtual machines and container service platforms integrated across 5G network architecture. This includes the 5G core, radio access networks, mobile edge computing, network slicing, virtualization, and orchestration and management.
Potential threats cited by CISA include vulnerabilities and malicious code or systems across the supply chain that can occur during the provisioning and deployment of software and hardware in 5G networks and services.